Tales from the wrong end - life as an open-source maintainer

Transcript

1. Marcus Bointon @SynchroM joind.in/talk/61f6a Once upon a time…

2. Tales from the wrong end Marcus Bointon @SynchroM Technical director,

   Synchromedia Limited & Smartmessages.net Maintainer of PHPMailer

3. Marcus Bointon @SynchroM joind.in/talk/61f6a What’s PHPMailer? • Email creation and

   sending class for PHP • Constructs RFC822 messages • text + HTML multiparts, attachments, headers, etc • Sends using PHP mail() function or SMTP • Authentication • SMTPS / SMTP+STARTTLS • No dependencies

4. Marcus Bointon @SynchroM joind.in/talk/61f6a PHPMailer Popularity

5. Marcus Bointon @SynchroM joind.in/talk/61f6a How did I end up here?

   2001 2010 2008 Synchro 2013 PHPMailer

6. Marcus Bointon @SynchroM joind.in/talk/61f6a Responsible disclosure • Someone finds a

   vulnerability • Reports it to vendor / maintainer • Vendor develops mitigation / patch • Typically 90 days allowed • Patch released • Vulnerability disclosed

7. Marcus Bointon @SynchroM joind.in/talk/61f6a CVE Numbers • Common Vulnerabilities and

   Exposures • Provides a common reference for any vulnerability • Operated by Mitre Corp, funded by US gov (DHS) • https://cve.mitre.org • https://nvd.nist.gov/vuln/search • PHPMailer’s issues assigned numbers
 CVE-2016-10033, CVE-2016-10045

8. Marcus Bointon @SynchroM joind.in/talk/61f6a Type & Severity • Part of

   a CVE report • Common types: Remote Code Execution (“RCE”), SQL injection, XSS, Denial of Service (“DoS”) • Severity rating via the CVSS numeric scoring system, and/or a critical/high/medium/low rating • PHPMailer’s two CVEs were rated 9.8/Critical

9. Marcus Bointon @SynchroM joind.in/talk/61f6a What was the issue? <?php namespace

   PHPMailer\PHPMailer; require 'src/PHPMailer.php'; $mail = new PHPMailer; $mailSubject = 'test'; $mailsetFrom($_POST['email']); $mailaddAddress('[email protected]'); $mailBody = '<strong>hello</strong>'; $mailsend();

10. Marcus Bointon @SynchroM joind.in/talk/61f6a CVE-2016-10033 • $params = sprintf('-f%s', $thisSender);

    • An attack string can be a valid email address! So we escape it, right? • $params = sprintf('-f%s', escapeshellarg($thisSender)); • At this point someone posted an exploit! • We had become a zero-day vuln • Rushed out a release as PHPMailer 5.2.18 • …also known as CVE-2016-10045!

11. Marcus Bointon @SynchroM joind.in/talk/61f6a CVE-2016-10045 • We think we are

    doing this: • $mailcommand . escapeshellarg($param) • But mail() applies escapeshellcmd() internally! • escapeshellcmd($command . escapeshellarg($param)) • and the result of this is undefined and exploitable! • Workaround released in PHPMailer 5.2.20 • This is fundamentally a PHP bug

12. Marcus Bointon @SynchroM joind.in/talk/61f6a Getting help • The security researcher

    that reported the problem was very helpful • Reviewed and verified mitigations • Other researchers turned up to help • Not the usual contributors

13. Marcus Bointon @SynchroM joind.in/talk/61f6a Press & exposure • This was

    quite a big deal – affected Wordpress, Joomla, Drupal etc, millions of sites • Articles in Securityweek, Naked security, Hacker news, The Register, Reddit, SANS newsletter • Often misreported as input validation error • The usual PHP abuse, but comments on handling the vuln were generally positive • No personal abuse at all - no media contact either

14. Marcus Bointon @SynchroM joind.in/talk/61f6a Post-mortem • How had other PHP

    email libs fixed this? • They hadn’t! • Zend_Mail, SwiftMailer, RoundCube all vulnerable • Similar bugs in Python, Ruby, NodeJS libs • Researcher wrote a long article about the general vulnerability of PHP’s mail() function

15. Marcus Bointon @SynchroM joind.in/talk/61f6a Lessons learned • Don’t use mail()

    • Open source is awesome! • When it matters, people will help • It’s not all left to you • Security researchers and whistleblowers need effective legal protection as a matter of national policy

16. Marcus Bointon @SynchroM joind.in/talk/61f6a Why be a maintainer? Hi Marcus,

    I’ve been digging around PHPMailer GitHub issues a fair amount lately, and just wanted to say that I admire your diligence, patience, and sense of humor responding to a variety of comments from people of different competencies. Your broken light bulb analogy made me laugh out loud. The internet needs more people like you, sir. Cheers!

17. Marcus Bointon @SynchroM joind.in/talk/61f6a Donations? • Time, Effort, Enthusiasm •

    Beyond code - Support, coordination, documentation • Differentiate between project and personal • Paypal, Patreon • Make it easy!

18. Marcus Bointon @SynchroM joind.in/talk/61f6a Thank you to… • Dawid Golunski

    of legalhackers.com @dawid_golunski • Those who commented, submitted patches, reviewed code • All those users who provide feedback and bug reports every day • To every open-source project

19. Marcus Bointon @SynchroM joind.in/talk/61f6a — Richard Feynman “I would rather

    have questions that can't be answered than answers that can't be questioned” Questions

20. Marcus Bointon @SynchroM joind.in/talk/61f6a Marcus Bointon [email protected] @SynchroM Synchro on

    GitHub & Stack Exchange Feedback please! joind.in/talk/61f6a Thank you!
21. None